Abstract. There are numerous subexponential algorithms for computing discrete logarithms over certain classes of finite fields. However, there appears to be no published subexponential algorithm for computing discrete logarithms over all finite fields. We present such an algorithm and a heuristic argument that there exists a $c \in \mathbb{R}_{>0}$ such that for all sufficiently large prime powers $p^n$, the algorithm computes discrete logarithms over $\mathrm{GF}(p^n)$ within expected time:

$$e^{c(\log(p^n)\log\log(p^n))^{1/2}}.$$


1. Introduction 

Given $\alpha, \beta$ in a finite field, the discrete logarithm problem is to calculate an $x \in \mathbb{Z}_{\ge 0}$ (if such exists) such that

$$\alpha^x = \beta.$$

Interest in the discrete logarithm problem stems from the advent of public key cryptography, and with it the creation of cryptographic systems which depend for their security on the difficulty of computing such logarithms (e.g., [10, 12]). While researchers have been successful in developing subexponential algorithms for computing discrete logarithms in finite fields of special form, no subexponential algorithm for computing discrete logarithms in all finite fields has emerged. We present such an algorithm along with a heuristic argument that there exists a $c \in \mathbb{R}_{>0}$ such that for all sufficiently large prime powers $p^n$, the algorithm computes discrete logarithms over $\mathrm{GF}(p^n)$ within expected time:

$$e^{c(\log(p^n)\log\log(p^n))^{1/2}}.$$

There exist several algorithms which for all primes $p \in \mathbb{Z}_{>0}$ compute discrete logarithms over $\mathrm{GF}(p)$ in time subexponential in $p$ (e.g., [1, 15]). Further, for all primes $p \in \mathbb{Z}_{>0}$, there exist algorithms which for all $n \in \mathbb{Z}_{>0}$ compute discrete logarithms over $\mathrm{GF}(p^n)$ in time subexponential in $p^n$ (for $p = 2$, this was first shown by Hellman and Reyneri [17] and improved by Coppersmith [8]; however, these approaches appear to generalize to an arbitrary prime $p$). Recently, Gordon [16] has announced that for all $n \in \mathbb{Z}_{>0}$, there exists an algorithm which for all primes $p \in \mathbb{Z}_{>0}$ computes discrete logarithms over $\mathrm{GF}(p^n)$ in time subexponential in $p^n$ (the case $n = 2$ was previously established by ElGamal [13]). The previously most general subexponential algorithm appears to be that of Lovorn [21], which computes discrete logarithms in $\mathrm{GF}(p^n)$ for $\log(p) < n^{0.98}$.

Our subexponential method for all finite fields actually consists of two algorithms. They both may be described as "index calculus" methods [29, 23]. The first algorithm is for the case $n < p$. Here, $\mathrm{GF}(p^n)$ is represented by $O/(p)$, where $O$ is a number ring and $(p)$ is the prime ideal generated by $p$. An element of $O/(p)$ is considered "smooth" if and only if, when considered as an element of $O$, the ideal it generates factors into prime ideals of small norm. The second algorithm is for the case $n > p$. Here, $\mathrm{GF}(p^n)$ is represented by $(\mathbb{Z}/p\mathbb{Z}[x])/(f)$, where $f \in \mathbb{Z}/p\mathbb{Z}[x]$ is irreducible. An element of $(\mathbb{Z}/p\mathbb{Z}[x])/(f)$ is considered "smooth" if and only if, when considered as an element of $\mathbb{Z}/p\mathbb{Z}[x]$, it factors into irreducible polynomials of small degree.

While the second algorithm is rather "routine", an overview of the first algorithm may be useful. Consider computing the discrete logarithm of $\beta$ with respect to the base $\alpha$ over $\mathrm{GF}(p)$, where $p$ is prime. One can obtain a subexponential algorithm by representing $\mathrm{GF}(p)$ by $\mathbb{Z}/p\mathbb{Z}$ and generating random integer pairs $(r, s)$, calculating $\gamma = \alpha^r\beta^s \bmod p$, and keeping the triple $(r, s, \gamma)$ if and only if $\gamma$ is $B$-smooth for an appropriate choice of $B$. When sufficiently many such good triples $(r_1, s_1, \gamma_1), \dots, (r_z, s_z, \gamma_z)$ have been obtained, one can use linear algebra modulo $p - 1$ to calculate $a_1, a_2, \dots, a_z \in \mathbb{Z}^{p-1}_{\ge 0}$ (that is, $0 \le a_i < p - 1$) such that

$$\prod_{i=1}^{z}\gamma_i^{a_i} = \delta^{\,p-1}$$

for some integer $\delta$, and hence that

(1) $\alpha^k\beta^l \equiv 1 \bmod p$,

where $k = \sum_{i=1}^{z} a_i r_i$ and $l = \sum_{i=1}^{z} a_i s_i$. Generating such $k, l$ pairs is tantamount to calculating the desired discrete logarithm.

Our first algorithm is a generalization of this approach to $\mathrm{GF}(p^n)$. By finding a number field of degree $n$ over the rationals such that $p$ is inert, $\mathrm{GF}(p^n)$ can be represented by $O/pO$, where $O$ is the ring of integers in the number field. One can then proceed as before by generating random integer pairs $(r, s)$, calculating $\gamma = \alpha^r\beta^s \bmod p$, and keeping the triple $(r, s, \gamma)$ if and only if $\gamma$ is $B$-smooth for an appropriate choice of $B$. However, because $O$ need not be a UFD, the notion of $B$-smoothness is generalized to mean that the ideal generated by $\gamma$ is the product of prime ideals of small norm. Unfortunately, there are now two obstacles. First, $\gamma$ will have an adequate chance of being $B$-smooth if and only if its absolute norm is small. We were only able to prove that this would be the case when the field in question was a subfield of a small-degree cyclotomic field. For this reason, cyclotomic polynomials and Gauss' theory of periods arise in the paper.

The second obstacle results from the linear algebra. We do not obtain $\prod_{i=1}^{z}\gamma_i^{a_i} = \delta^{\,p^n-1}$ for some (algebraic) integer $\delta$ as above. Rather, we obtain

$$\Big(\prod_{i=1}^{z}\gamma_i^{a_i}\Big) = I^{\,p^n-1}$$

for some ideal $I \subseteq O$. An algebraic integer, like $\prod_{i=1}^{z}\gamma_i^{a_i}$, which generates an ideal which is the $(p^n-1)$st power of an ideal is called a $(p^n-1)$-singular integer.

One can define two $(p^n-1)$-singular integers to be equivalent if and only if their ratio is the $(p^n-1)$st power of an element of the field. The equivalence classes form an Abelian group. The identity of this group is the class containing the $(p^n-1)$st powers of algebraic integers. This group is generated by a small number $h$ of elements ($h$ depends on the structure of the ideal class group and the rank of the unit group in $O$). From this, the main virtue of singular integers follows: if $h$ of them can be obtained, then there will exist a linear combination which is the $(p^n-1)$st power of an algebraic integer. Thus, in the algorithm we will collect a number $h$ of $(p^n-1)$-singular integers $\gamma_1, \gamma_2, \dots, \gamma_h$, as above, and then find $b_1, b_2, \dots, b_h \in \mathbb{Z}^{p^n-1}_{\ge 0}$ such that

$$\prod_{i=1}^{h}\gamma_i^{b_i} = \delta^{\,p^n-1}$$

for some algebraic integer $\delta \in O$. From this, $k$ and $l$ as in equation (1) can be obtained in a straightforward way.

There remains the problem of calculating the $b_1, b_2, \dots, b_h$ described above. This is done with the device of "character signatures", which were introduced in the context of integer factoring [2]. The character signatures occurring in integer factoring are simpler than those occurring here, and a review of that setting may be rewarding.


2. Preliminaries 

In this section some basic facts are presented. 

Singular integers and character signatures. Here, some notions presented in [2] 
in the context of integer factoring are generalized. 

Definition. For all number fields $K$ with ring of integers $O$, for all $s \in \mathbb{Z}_{>0}$, and for all $\alpha \in O$, $\alpha$ is an $s$-singular integer (with respect to $O$) if and only if there exists an ideal $I \subseteq O$ such that $(\alpha) = I^s$.

Let $K$ be a number field with ring of integers $O$, unit group $E$, and ideal class group $C$. Let $s \in \mathbb{Z}_{>0}$, and let $\sigma, \tau$ be $s$-singular integers. Define $\sigma \approx \tau$ if and only if there exist $\alpha, \beta \in O$ such that $\alpha^s\sigma = \beta^s\tau$. Then $\approx$ is an equivalence relation on $s$-singular integers, and the set of equivalence classes forms a group $G(s)$ of exponent dividing $s$, with identity $I(s) = \{\alpha^s \mid \alpha \in O\}$ under the operation $[\alpha][\beta] = [\alpha\beta]$. There is a homomorphism $\psi$ from $G(s)$ onto the group $C(s) = \{c \mid c \in C\ \&\ c^s = [(1)]\}$, $[\alpha] \mapsto [I]$, where $(\alpha) = I^s$.

The kernel of $\psi$ is $\mathrm{Ker}(\psi) = \{[u] \mid u \in E\}$, and consequently $\mathrm{Ker}(\psi) \cong E/E^s$. Hence,

$$(*)\qquad G(s) \cong E/E^s \oplus C(s).$$

Definition. For all number fields $K$ with ring of integers $O$, for all $s \in \mathbb{Z}_{>0}$, for all prime ideals $P_1, P_2, \dots, P_z \subseteq O$, for all $l_1, l_2, \dots, l_z \in O$, and for all $\alpha \in O$: if for $i = 1, 2, \dots, z$, $(\alpha) + P_i = (1)$, $s \mid (N(P_i) - 1)$, and $l_i + P_i$ is a primitive $s$th root of unity in $O/P_i$, then the $s$-character signature of $\alpha$ with respect to $(P_1, l_1), (P_2, l_2), \dots, (P_z, l_z)$ is $(e_1, e_2, \dots, e_z)$, where for $i = 1, 2, \dots, z$, $\alpha^{(N(P_i)-1)/s} \equiv l_i^{e_i} \bmod P_i$ and $e_i \in \mathbb{Z}^{s}_{\ge 0}$.

Now assume that $K$ is Abelian over $\mathbb{Q}$; then it follows from the Chebotarev density theorem that for all $s \in \mathbb{Z}_{>0}$, for all prime ideals $P_1, P_2, \dots, P_z \subseteq O$, and for all $c \in G(s)$, there exists a $\sigma \in O$ such that $[\sigma] = c$, and for $i = 1, 2, \dots, z$, $(\sigma) + P_i = (1)$. For $(P_1, l_1), (P_2, l_2), \dots, (P_z, l_z)$ as above, let the map $\theta$ take $c$ to the $s$-character signature of $\sigma$ with respect to $(P_1, l_1), (P_2, l_2), \dots, (P_z, l_z)$. The map $\theta$ is well defined on $G(s)$ and is a group homomorphism into $\bigoplus_{i=1}^{z}\mathbb{Z}_s$.

Dependencies in Abelian groups. It is well documented how to find dependencies among elements of a vector space over a finite field. However, in Algorithms I and II, and many other factoring and discrete logarithm algorithms, it is necessary to find dependencies in modules over $\mathbb{Z}/m\mathbb{Z}$, where $m$ is not prime. While in many papers this issue is taken for granted, we have included some of the relevant facts here. Readers may prefer to skip this exposition.

Theorem. Let $p \in \mathbb{Z}_{>0}$ be prime, and let $G = \bigoplus_{j=1}^{n} G_j$, where for $j = 1, 2, \dots, n$, $G_j$ is cyclic of $p$th power order. Let $h_1, h_2, \dots, h_{n+1} \in G$. There exist $a_1, a_2, \dots, a_{n+1} \in \mathbb{Z}$ such that $\mathrm{GCD}(a_1, a_2, \dots, a_{n+1}) = 1$ and $\sum_{i=1}^{n+1} a_i h_i = 0$.

Proof. For $n = 1$, let $g$ be a generator for $G$, and let $h_1 = x_1 g$ and $h_2 = x_2 g$. Then without loss of generality there exist $b_1, b_2 \in \mathbb{Z}$ and $f \in \mathbb{Z}_{\ge 0}$ such that $(b_1, p) = 1$, $x_1 = p^f b_1$, and $x_2 = p^f b_2$. Let $c \in \mathbb{Z}$ be such that $cb_1 \equiv 1 \bmod p^e$, where $p^e$ is the order of $G$, and let $a_1 = -cb_2$; then $a_1 h_1 + h_2 = 0$.

For $n > 1$, let $g_j$ be a generator for $G_j$ for $j = 1, 2, \dots, n$. For $i = 1, 2, \dots, n+1$, let

$$h_i = \sum_{j=1}^{n} e_{i,j}\, g_j.$$

Let $p^f \,\|\, \mathrm{GCD}(e_{1,1}, e_{2,1}, \dots, e_{n+1,1})$; then without loss of generality it can be assumed that $e_{1,1} = p^f a$, where $(a, p) = 1$. Consequently, for $i = 2, 3, \dots, n+1$, there exist $b_i \in \mathbb{Z}$ such that

$$h_i' = h_i - b_i h_1 \in \bigoplus_{j=2}^{n} G_j.$$

By induction, there exist $a_2, a_3, \dots, a_{n+1} \in \mathbb{Z}$ such that $\mathrm{GCD}(a_2, a_3, \dots, a_{n+1}) = 1$ and $\sum_{i=2}^{n+1} a_i h_i' = 0$. Let $a_1 = -\sum_{i=2}^{n+1} a_i b_i$; then $a_1, a_2, \dots, a_{n+1}$ are as desired. $\square$

Corollary. Let $n, s \in \mathbb{Z}_{>0}$, and let $G$ be a finite Abelian group of exponent dividing $s$ such that $G = \bigoplus_{j=1}^{n} G_j$, where for $j = 1, 2, \dots, n$, $G_j$ is cyclic. Let $h_1, h_2, \dots, h_{n+1} \in G$. There exist $a_1, a_2, \dots, a_{n+1} \in \mathbb{Z}^{s}_{\ge 0}$ such that $\mathrm{GCD}(a_1, a_2, \dots, a_{n+1}) = 1$ and $\sum_{i=1}^{n+1} a_i h_i = 0$.

Proof. We have $G \cong \bigoplus G_p$, where $G_p$ denotes the $p$-Sylow subgroup of $G$ and the sum is over all rational primes $p$. Applying the theorem for each $G_p \ne \{0\}$ and using the Chinese Remainder Theorem yields $b_1, b_2, \dots, b_{n+1} \in \mathbb{Z}_{\ge 0}$ such that $\mathrm{GCD}(b_1, b_2, \dots, b_{n+1}, s) = 1$ and $\sum_{i=1}^{n+1} b_i h_i = 0$. For $i = 1, 2, \dots, n+1$, let $c_i \equiv b_i \bmod s$ with $c_i \in \mathbb{Z}^{s}_{\ge 0}$. Let $d = \mathrm{GCD}(c_1, c_2, \dots, c_{n+1})$. For $i = 1, 2, \dots, n+1$, let $a_i = c_i/d$. The $a_1, a_2, \dots, a_{n+1}$ are as desired. $\square$
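As an added example (not code from the paper), the following Python implements the procedure contained in the two proofs above: given $k+1$ vectors in $(\mathbb{Z}/m\mathbb{Z})^k$ (the shape of the systems in Stage 3(b) and Stage 5, where $m = p^n - 1$ is composite), it finds $a_1, \dots, a_{k+1}$ with $\mathrm{GCD} = 1$ and $\sum a_i h_i \equiv 0 \bmod m$. For each prime power $p^e \,\|\, m$ it follows the theorem (pivot on the first-column entry of least $p$-adic valuation, eliminate that column from the other vectors, recurse on the remaining columns), then combines the per-prime coefficients by the Chinese Remainder Theorem and divides out their common factor as in the corollary. The factorization of $m$ is by trial division, which is adequate for the small moduli used; the sample vectors are constructed.

```python
from math import gcd
from functools import reduce


def prime_power_factors(m):
    """Trial-division factorisation m = prod p^e, returned as {p: e} (fine for the small m used here)."""
    factors, d = {}, 2
    while d * d <= m:
        while m % d == 0:
            factors[d] = factors.get(d, 0) + 1
            m //= d
        d += 1
    if m > 1:
        factors[m] = factors.get(m, 0) + 1
    return factors


def valuation(x, p):
    """p-adic valuation of a nonzero integer x."""
    v = 0
    while x % p == 0:
        x //= p
        v += 1
    return v


def dependency_mod_prime_power(vecs, p, e):
    """Theorem: k+1 vectors in (Z/p^e Z)^k -> coefficients, not all divisible by p, whose combination
    vanishes mod p^e.  p^f || gcd of the first column; the pivot entry is p^f * a with a a unit."""
    q = p ** e
    k = len(vecs) - 1
    if k == 0:
        return [1]
    col = [v[0] % q for v in vecs]
    vals = [valuation(c, p) if c else e for c in col]      # an entry that is 0 mod q counts as valuation e
    piv = min(range(len(col)), key=lambda i: vals[i])
    f = vals[piv]
    others = [i for i in range(len(vecs)) if i != piv]
    if f >= e:                                             # whole column vanishes mod q: nothing to eliminate
        b = {i: 0 for i in others}
    else:
        a_inv = pow(col[piv] // p ** f, -1, q)
        b = {i: (col[i] // p ** f) * a_inv % q for i in others}
    reduced = [[(vecs[i][j] - b[i] * vecs[piv][j]) % q for j in range(1, k)] for i in others]
    sub = dependency_mod_prime_power(reduced, p, e)        # recursion on the last k-1 columns
    coeffs = [0] * len(vecs)
    for a_i, i in zip(sub, others):
        coeffs[i] = a_i
    coeffs[piv] = (-sum(a_i * b[i] for a_i, i in zip(sub, others))) % q   # a_1 = -sum a_i b_i
    return coeffs


def crt(residues, moduli):
    """The x mod prod(moduli) with x = r_i mod q_i, for pairwise coprime q_i."""
    x, M = 0, 1
    for r, q in zip(residues, moduli):
        x += M * (((r - x) * pow(M, -1, q)) % q)
        M *= q
    return x % M


def dependency_mod(vecs, m):
    """Corollary: k+1 vectors in (Z/mZ)^k -> a_1..a_{k+1} in [0, m) with GCD 1 and sum a_i vecs[i] = 0 mod m."""
    pp = prime_power_factors(m)
    per_prime = {p: dependency_mod_prime_power(vecs, p, e) for p, e in pp.items()}
    moduli = [p ** e for p, e in pp.items()]
    c = [crt([per_prime[p][i] for p in pp], moduli) for i in range(len(vecs))]
    d = reduce(gcd, c)            # coprime to m, since for every p | m some c_i is a unit mod p
    return [ci // d for ci in c]


def is_dependency(vecs, coeffs, m):
    """The two properties the corollary promises."""
    zero = all(sum(a * v[j] for a, v in zip(coeffs, vecs)) % m == 0 for j in range(len(vecs[0])))
    return zero and reduce(gcd, coeffs) == 1


SAMPLE_M = 12                               # constructed: 12 = 2^2 * 3 stands in for a composite p^n - 1
SAMPLE_VECS = [[2, 5], [7, 3], [4, 10]]     # constructed: three vectors in (Z/12Z)^2
```

On the sample, the $2$-part gives $(2, 0, 1) \bmod 4$ and the $3$-part gives $(1, 0, 1) \bmod 3$, which combine to $(10, 0, 1)$: indeed $10\cdot(2, 5) + (4, 10) = (24, 60) \equiv (0, 0) \bmod 12$. Over a prime modulus the same routine degenerates to ordinary elimination, which is the situation the page says is well documented.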

Subfields of cyclotomic fields. Let $q \in \mathbb{Z}_{>0}$ be prime, and let $n \mid q - 1$; then there exists a unique field $K_{q,n} \subseteq \mathbb{Q}(\zeta_q)$, the $q$th cyclotomic field, such that $[K_{q,n} : \mathbb{Q}] = n$. The following are well known [11]:

1. The ring of integers of $K_{q,n}$ is $O_{q,n} = \mathbb{Z}[\eta_0, \eta_1, \dots, \eta_{n-1}]$, where for $i = 0, 1, \dots, n-1$, $\eta_i = \eta_{q,n,i} = \sum \zeta_q^{a}$, the sum being taken over the set of $a \in \mathbb{Z}^{q}_{>0}$ such that $\mathrm{ind}(a) \equiv i \bmod n$, where $\mathrm{ind}(a)$ denotes the index of $a$ in $(\mathbb{Z}/q\mathbb{Z})^*$ with respect to a fixed generator.

2. $K_{q,n} = \mathbb{Q}(\eta_0)$ (however, there exist $q, n$ such that $O_{q,n} \ne \mathbb{Z}[\eta_0]$).

3. The minimum polynomial for $\eta_0$ over $\mathbb{Q}$ is $f = f_{q,n} = \prod_{i=0}^{n-1}(x - \eta_i)$.

4. If $p \in \mathbb{Z}_{>0}$ is prime and $p$ is inert in $K_{q,n}$, then $O_{q,n}/(p)$ is a finite field with $p^n$ elements and

$$R = R_{q,n,p} = \Big\{\sum_{i=0}^{n-1} a_i\eta_i \;\Big|\; a_i \in \mathbb{Z}^{p}_{\ge 0},\ i = 0, 1, \dots, n-1\Big\}$$

is a complete set of representatives.

Arithmetic in $K_{q,n}$ may be done as follows (our description is essentially that of Edwards [11], which in turn is derived from Kummer).

Elements in $O_{q,n}$ will be represented in terms of the integer basis $\eta_0, \eta_1, \dots, \eta_{n-1}$.

First, for $i, j, k \in \mathbb{Z}^{n}_{\ge 0}$ calculate $c_{i,j,k} \in \mathbb{Z}$ such that

$$\eta_i\eta_j = \sum_{k=0}^{n-1} c_{i,j,k}\,\eta_k;$$

then multiplication in $O_{q,n}$ is straightforward.

Prime ideals of $O_{q,n}$ will be represented as follows. Let $s \ne q$ be a rational prime, and let $f$ be the order of $s$ in $(\mathbb{Z}/q\mathbb{Z})^*$. Let $e = (q-1)/f$; then the splitting field of $s$ is $K_{q,e}$. Let $g = (e, n)$; then $s$ splits into $g$ distinct prime ideals of residue class degree $n/g$ in $O_{q,n}$.

Let $h \in \mathbb{Z}/s\mathbb{Z}[x]$ be an irreducible factor of $f_{q,q-1} = x^{q-1} + x^{q-2} + \dots + x + 1$ (the $q$th cyclotomic polynomial), and let $\sigma$ be a generator for $\mathrm{Gal}(\mathbb{Q}(\zeta_q)/\mathbb{Q})$ (the construction which follows produced the correct outcome for all choices).

For $i = 1, 2, \dots, g$, let $\tilde S_i \subseteq O_{q,q-1}$ be the prime ideal generated by $s$ and $(h(\zeta_q))^{\sigma^i}$, and let $S_i = \tilde S_i \cap O_{q,n}$. Then $(s) = \prod_{i=1}^{g} S_i$ is the prime decomposition of $s$ in $O_{q,n}$.
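As an added example that is not part of the paper, the following Python carries out the period arithmetic described above for small $q$ and $n$: it builds the index classes defining $\eta_0, \dots, \eta_{n-1}$ from a generator of $(\mathbb{Z}/q\mathbb{Z})^*$, computes the structure constants $c_{i,j,k}$ by multiplying out the sums of roots of unity (the constant term is absorbed with $1 = -(\eta_0 + \dots + \eta_{n-1})$, since the $\zeta_q^a$, $a \ne 0$, sum to $-1$), multiplies the representatives of item 4 modulo $p$, expands $f_{q,n} = \prod (x - \eta_i)$ with that arithmetic, and returns the splitting type $(g, n/g)$ of a rational prime $s$ from the order of $s$ modulo $q$. The values $q = 7$, $n = 3$ (where $\eta_0 = \zeta_7 + \zeta_7^{-1}$ and $f_{7,3} = x^3 + x^2 - 2x - 1$) and $q = 5$, $n = 2$ are constructed for the example; the Kummer-style representatives $(s, \psi_i)$ of the prime ideals themselves are not computed here.

```python
from math import gcd


def primitive_root(q):
    """Smallest generator of (Z/qZ)^*, q prime (q is tiny here, so enumerating powers is fine)."""
    return next(g for g in range(2, q) if len({pow(g, i, q) for i in range(1, q)}) == q - 1)


def period_classes(q, n):
    """classes[i] = {a in (Z/qZ)^* : ind(a) = i mod n}; eta_i is the sum of zeta_q^a over classes[i]."""
    assert (q - 1) % n == 0
    g = primitive_root(q)
    classes = [set() for _ in range(n)]
    a = 1
    for ind in range(q - 1):
        classes[ind % n].add(a)
        a = a * g % q
    return classes


def structure_constants(classes, q):
    """table[i][j] = (c_{i,j,0}, ..., c_{i,j,n-1}) with eta_i * eta_j = sum_k c_{i,j,k} eta_k."""
    n = len(classes)
    table = [[None] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            coef = [0] * q                                   # coefficient of zeta_q^a in eta_i * eta_j
            for a in classes[i]:
                for b in classes[j]:
                    coef[(a + b) % q] += 1
            c0 = coef[0]                                     # rational part, rewritten via 1 = -sum eta_k
            row = []
            for k in range(n):                               # the product is constant on each class
                rep = next(iter(classes[k]))
                assert all(coef[a] == coef[rep] for a in classes[k])
                row.append(coef[rep] - c0)
            table[i][j] = row
    return table


def ring_mul(u, v, table):
    """Product of two elements of O_{q,n} given in the integral basis eta_0, ..., eta_{n-1}."""
    n = len(u)
    out = [0] * n
    for i in range(n):
        for j in range(n):
            if u[i] and v[j]:
                for k in range(n):
                    out[k] += u[i] * v[j] * table[i][j][k]
    return out


def field_mul(u, v, table, p):
    """Multiplication in O_{q,n}/(p) on the representatives R_{q,n,p} (coefficients reduced mod p)."""
    return [c % p for c in ring_mul(u, v, table)]


def minimal_polynomial(q, n):
    """Integer coefficients (low degree first) of f_{q,n} = prod_i (x - eta_i), via O_{q,n} arithmetic."""
    table = structure_constants(period_classes(q, n), q)
    poly = [[-1] * n]                                        # the rational integer 1 in the period basis
    for i in range(n):                                       # multiply the polynomial by (x - eta_i)
        eta_i = [int(k == i) for k in range(n)]
        new = [[0] * n for _ in range(len(poly) + 1)]
        for d, coef in enumerate(poly):
            new[d + 1] = [x + y for x, y in zip(new[d + 1], coef)]
            prod = ring_mul(eta_i, coef, table)
            new[d] = [x - y for x, y in zip(new[d], prod)]
        poly = new
    ints = []
    for coef in poly:                                        # each coefficient is an integer m = (-m, ..., -m)
        assert all(c == coef[0] for c in coef)
        ints.append(-coef[0])
    return ints


def splitting_type(s, q, n):
    """(g, n/g): a rational prime s != q splits into g primes of residue degree n/g in O_{q,n}; inert iff g == 1."""
    order, t = 1, s % q
    while t != 1:
        t, order = t * s % q, order + 1
    g = gcd((q - 1) // order, n)
    return g, n // g
```

With $q = 7$, $n = 3$ the table gives $\eta_0^2 = -2\eta_0 - 2\eta_1 - \eta_2$ (that is, $\eta_2 + 2$), the expansion returns $x^3 + x^2 - 2x - 1$, and $2$ is inert while $13 \equiv -1 \bmod 7$ splits completely; reducing the table modulo an inert $p$ is exactly the arithmetic of $O_{q,n}/(p)$ that Algorithm I works in.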

For $i = 1, 2, \dots, g$ and $j = 0, 1, \dots, e-1$, calculate $u_{i,j} \in \mathbb{Z}^{s}_{\ge 0}$ such that

$$u_{i,j} \equiv \eta_{q,e,j} \bmod \tilde S_i$$

(such $u_{i,j}$ always exist [11]). Let $U = \{u_{i,j} \mid j = 0, 1, \dots, e-1\}$ ($U$ is the set of roots of $f_{q,e}$ mod $s$ and is independent of $i$). Let

$$\psi_i = \prod_{j=0}^{e-1}\ \prod_{u \in U,\ u \ne u_{i,j}} (\eta_{q,e,j} - u).$$

For $i = 1, 2, \dots, g$, $(s, \psi_i)$ will represent the prime ideal $S_i$ of $O_{q,n}$ lying above $s$.

Let $\alpha \in O_{q,n}$, and let $a \in \mathbb{Z}_{\ge 0}$. Then

$$S_i^a \mid (\alpha) \iff S_i^a O_{q,q-1} \mid \alpha O_{q,q-1} \iff \tilde S_i^a \mid \alpha O_{q,q-1} \iff s^a \mid \psi_i^a \alpha.$$

The penultimate statement follows from Galois theory by noting that $\alpha \in K_{q,n}$. The last statement is essentially the first proposition of §4.10 in [11]. Hence, there is a computationally efficient method for determining the power of $S_i$ which divides $(\alpha)$.

Next, consider singular integers and character signatures in $K_{q,n}$. Let $s \in \mathbb{Z}_{>0}$. By Dirichlet's unit theorem, $E/E^s$ can be written as the direct sum of at most $n$ cyclic groups. Observing that the class number of $K_{q,n}$ is less than or equal to the class number of $\mathbb{Q}(\zeta_q)$ [27, Theorem 10.1], which is less than or equal to $q^{q^3}$ [22], it follows that $C(s)$ can be written as the direct sum of at most $q^3\log_2(q)$ cyclic groups. By $(*)$ above, $G(s)$ can be written as the direct sum of at most $n + q^3\log_2(q)$ cyclic groups. Let $H = n + q^3\log_2(q) + 1$. By the preceding corollary, if $\sigma_1, \sigma_2, \dots, \sigma_H$ are $s$-singular integers, then there exist $\delta \in O_{q,n}$ and $b_1, b_2, \dots, b_H \in \mathbb{Z}^{s}_{\ge 0}$ such that

$$\mathrm{GCD}(b_1, b_2, \dots, b_H) = 1 \quad\text{and}\quad \prod_{j=1}^{H}\sigma_j^{b_j} = \delta^{s}.$$

Further, if $\theta_1 = \theta(\sigma_1), \theta_2 = \theta(\sigma_2), \dots, \theta_H = \theta(\sigma_H)$ are the $s$-signatures of $\sigma_1, \sigma_2, \dots, \sigma_H$ with respect to some $(P_1, l_1), (P_2, l_2), \dots, (P_z, l_z)$, then $\sum_{j=1}^{H} b_j\theta_j = 0$. Finally, given the prime factorization of $s$, and given the $s$-signatures $\theta_1, \theta_2, \dots, \theta_H$, the proofs of the preceding theorem and corollary give an algorithm to calculate a sequence of $b_j$'s such that $\sum_{j=1}^{H} b_j\theta_j = 0$. This algorithm requires time at most $O(H^2 z \log^3(s))$.

Smooth numbers [7]. For all $\gamma \in \mathbb{R}_{\ge 0}$ and $\delta \in \mathbb{R}_{>0}$, $L_x[\gamma, \delta]$ denotes the set of functions from $\mathbb{R}$ to $\mathbb{R}$ of the form

$$e^{(\delta + o(1))(\log(x))^{\gamma}(\log\log(x))^{1-\gamma}}, \qquad x \to \infty.$$

It will be helpful in the running time analyses which follow to note that for all $\gamma \in \mathbb{R}_{\ge 0}$, $\delta \in \mathbb{R}_{>0}$, $L \in L_x[\gamma, \delta]$, and $c \in \mathbb{Z}_{>0}$:

$$(\log(x))^{c} L \in L_x[\gamma, \delta].$$

For all $\alpha, \gamma \in \mathbb{R}_{\ge 0}$ with $\alpha < \gamma$, for all $\beta, \delta \in \mathbb{R}_{>0}$, $L_0 \in L_x[\gamma, \delta]$, and $L_1 \in L_x[\alpha, \beta]$, there exists an $L_2 \in L_x[\gamma - \alpha, (\gamma - \alpha)\delta/\beta]$ such that for all $N \in \mathbb{R}_{>0}$, the probability that a positive integer less than or equal to $L_0(N)$ is $L_1(N)$-smooth (i.e., has all positive prime divisors less than or equal to $L_1(N)$) is at least $1/L_2(N)$.

Smooth polynomials. Algorithm II depends on finding polynomials over finite 
prime fields whose irreducible factors all have small degree. Call a polynomial 
m-smooth if and only if all of its irreducible factors have degree less than or 
equal to m. The following theorem gives a bound on the probability that a 
polynomial of degree n will be m-smooth. Our bound is not the best possible 
but is adequate for our purposes. 

The following notation is generalized from Odlyzko [23].

Definition. For all $p, n, m \in \mathbb{Z}_{>0}$ with $p$ prime, let

$$N_p(n, m) = \#\{f \mid f \in \mathbb{Z}/p\mathbb{Z}[x]\ \&\ \text{degree } f = n\ \&\ f \text{ is } m\text{-smooth}\}.$$

Definition. For all $p, n, m \in \mathbb{Z}_{>0}$ with $p$ prime, let

$$P_p(n, m) = N_p(n, m)/N_p(n, n).$$

Theorem. For all $p, n, m \in \mathbb{Z}_{>0}$ with $p$ prime and $n \ge m$, we have $P_p(n, m) \ge 1/(p^m n^{n/m})$.

Proof. For all $k \in \mathbb{Z}_{>0}$, let $S_k = \{f \mid f \in \mathbb{Z}/p\mathbb{Z}[x]\ \&\ \text{degree } f = k\ \&\ f \text{ monic and irreducible}\}$, and let $s_k = \#S_k$; then $(p^k - p^{k/2}\log(k))/k \le s_k \le p^k/k$ [25]. For all $k \in \mathbb{Z}_{>0}$, let $T_k = \{f \mid f \in \mathbb{Z}/p\mathbb{Z}[x]\ \&\ \text{degree } f \le k\ \&\ f \text{ monic and irreducible}\}$, and let $t_k = \#T_k$; then

$$t_k = \sum_{i=1}^{k} s_i \ \ge\ \sum_{i=1}^{k}\big(p^i - p^{i/2}\log(i)\big)/k \ =\ p^k/k + \sum_{i=1}^{k-1}\big(p^i - p^{(i+1)/2}\log(i+1)\big)/k \ \ge\ p^k/k,$$

since $p^i \ge p^{(i+1)/2}\log(i+1)$ for $i = 1, 2, \dots, k-1$. Let $r$ be the greatest integer less than $n/m$. Let $U = \{f \mid (\exists f_1, f_2, \dots, f_r \in T_m)[f = \prod_{i=1}^{r} f_i]\}$, and let $u = \#U$. For all $f \in U$, $f$ is counted by $N_p(n, m)$, thus $u \le N_p(n, m)$. From probability (and the fact that $\mathbb{Z}/p\mathbb{Z}[x]$ is a UFD):

$$u = \binom{t_m + r - 1}{r} \ \ge\ \binom{(p^m/m) + r - 1}{r} \ =\ \frac{((p^m/m) + r - 1)!}{((p^m/m) - 1)!\, r!} \ \ge\ \Big(\frac{p^m}{mr}\Big)^{r}.$$

Since $r \ge ((n+1)/m) - 1$, $p^{mr} \ge p^{n+1}/p^m$, and since $mr \le n$, there holds $(mr)^r \le n^{n/m}$. Hence, $(p^m/(mr))^r \ge p^{n+1}/(p^m n^{n/m})$. Finally, since $N_p(n, n) = p^{n+1}$, we have $P_p(n, m) = N_p(n, m)/N_p(n, n) \ge 1/(p^m n^{n/m})$. $\square$
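As an added example (not part of the paper), the following Python computes the smooth-polynomial count exactly for small parameters and compares the resulting probability with the theorem's bound $1/(p^m n^{n/m})$. It counts monic polynomials of degree exactly $n$ (multiplying by a nonzero constant preserves smoothness, so the ratio is unchanged); $s_k$ is obtained from the Möbius formula rather than from the bounds quoted in the proof, and the $m$-smooth count is the coefficient of $x^n$ in $\prod_{k \le m}(1 - x^k)^{-s_k}$, the generating-function form of the multiset count the proof uses. The parameter values are constructed.

```python
from math import comb


def mobius(d):
    """Möbius function by trial division (d is small)."""
    result, k = 1, 2
    while k * k <= d:
        if d % k == 0:
            d //= k
            if d % k == 0:
                return 0
            result = -result
        k += 1
    return -result if d > 1 else result


def monic_irreducibles(p, k):
    """s_k = (1/k) sum_{d | k} mu(d) p^(k/d), the number of monic irreducibles of degree k over Z/pZ."""
    return sum(mobius(d) * p ** (k // d) for d in range(1, k + 1) if k % d == 0) // k


def monic_smooth_count(p, n, m):
    """Monic m-smooth polynomials of degree exactly n over Z/pZ: the coefficient of x^n in
    prod_{k <= m} (1 - x^k)^(-s_k).  Unique factorisation makes each polynomial a multiset of
    irreducibles, and (1 - x^k)^(-s) = sum_j C(s + j - 1, j) x^(kj) counts multisets of degree-k ones."""
    coeffs = [1] + [0] * n                         # generating function truncated at degree n
    for k in range(1, m + 1):
        s_k = monic_irreducibles(p, k)
        new = [0] * (n + 1)
        for d in range(n + 1):
            if coeffs[d]:
                j = 0
                while d + k * j <= n:
                    new[d + k * j] += coeffs[d] * comb(s_k + j - 1, j)
                    j += 1
        coeffs = new
    return coeffs[n]


def smooth_probability(p, n, m):
    """P_p(n, m) restricted to degree exactly n (monic count over the p^n monic polynomials)."""
    return monic_smooth_count(p, n, m) / p ** n


def theorem_bound(p, n, m):
    """The lower bound 1 / (p^m n^(n/m)) of the theorem."""
    return 1 / (p ** m * n ** (n / m))
```

For $p = 2$, $n = 6$, $m = 2$ there are 16 monic 2-smooth polynomials of degree 6 among 64, so $P_2(6, 2) = 1/4$, against a bound of $1/864$: the theorem is far from tight, as the text says, but it is all Algorithm II's analysis needs.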

Existence of a solution. It is possible that for $\alpha, \beta \in \mathrm{GF}(p^n)$ with $\beta \ne 0$, the equation $\alpha^x = \beta$ will have no solution. However, for simplicity in the algorithms below, it will be assumed that $\alpha$ is a generator for $\mathrm{GF}(p^n)^*$ and thus that a solution always exists. In the general case on inputs $\alpha, \beta \in \mathrm{GF}(p^n)$, one may choose elements of $\mathrm{GF}(p^n)$ at random until a generator $\gamma$ is found and confirmed. Then use the algorithms below to calculate $x_1, x_2 \in \mathbb{Z}^{p^n-1}_{\ge 0}$ such that $\gamma^{x_1} = \alpha$ and $\gamma^{x_2} = \beta$. The original problem can now be solved as follows: calculate $g_1 = (x_1, p^n - 1)$; if $g_1$ does not divide $x_2$, then there is no solution, else $x = l(x_2/g_1) \bmod (p^n - 1)$, where $l = (x_1/g_1)^{-1} \bmod ((p^n-1)/g_1)$. Since generators for $\mathrm{GF}(p^n)^*$ are abundant [3, Lemma 4], finding one will require negligible time. Further, a candidate generator $\gamma$ can be confirmed by first factoring $p^n - 1$ and establishing that for all primes $t \mid p^n - 1$, $\gamma^{(p^n-1)/t} \ne 1$. Using an "$L[1/2, 1]$" factoring method (e.g., [19]), this process will add only negligible time to the algorithms below.
Notation. For all $p, n \in \mathbb{Z}_{>0}$ with $p$ prime, if we write $f \in \mathbb{Z}/p\mathbb{Z}[x]$, then it will be assumed that $f = \sum_{i=0}^{n} a_i x^i$, where for $i = 0, 1, \dots, n$, $a_i \in \mathbb{Z}^{p}_{\ge 0}$.

3. Algorithm I 

This algorithm will be used for discrete logarithms over $\mathrm{GF}(p^n)$ when $p > n$.

Let $p \in \mathbb{Z}_{>0}$ be prime and $f_1 \in \mathbb{Z}/p\mathbb{Z}[x]$ irreducible, monic of degree $n$. Then $(\mathbb{Z}/p\mathbb{Z}[x])/(f_1)$ is a finite field with $p^n$ elements. Let $\alpha_1, \beta_1 \in \mathbb{Z}/p\mathbb{Z}[x]$ of degree less than $n$ such that $[\alpha_1]$ generates $((\mathbb{Z}/p\mathbb{Z}[x])/(f_1))^*$ and $\beta_1 \not\equiv 0 \bmod f_1$. Hence, there exists an $x$ such that $0 \le x < p^n - 1$ and $\alpha_1^x \equiv \beta_1 \bmod f_1$. Assume that $p, f_1, \alpha_1, \beta_1$ are given and $x$ is sought. Then one may proceed as follows.

As remarked in the introduction, it is necessary that we work in an $n$th-degree extension of the rationals which is contained in a cyclotomic field of small degree. For this reason, the original polynomial $f_1$ will be replaced with a new irreducible monic polynomial $f$ such that $\mathbb{Q}[x]/(f)$ is a field of the desired type.

Using the construction in [4], find an $f \in \mathbb{Z}/p\mathbb{Z}[x]$ irreducible of degree $n$ in random time polynomial in $\log(p)$ and $n$ (assuming ERH). By the construction in [4] (also see [6]), there exists a $c \in \mathbb{Z}_{>0}$ such that $f = f_{q,n}$ for some prime $q \in \mathbb{Z}_{>0}$ with $q < cn^4(\log(np))^2$ (assuming ERH). We have $(\mathbb{Z}/p\mathbb{Z}[x])/(f) \cong (\mathbb{Z}/p\mathbb{Z}[x])/(f_1)$. Using [18], calculate $\alpha_2$ and $\beta_2 \in \mathbb{Z}/p\mathbb{Z}[x]$ of degree less than $n$ such that $[\alpha_2]$ is the image of $[\alpha_1]$ and $[\beta_2]$ is the image of $[\beta_1]$ under this isomorphism. Hence, our original problem is reduced to the problem: given $p, f, \alpha_2, \beta_2$ with $[\alpha_2]$ generating $((\mathbb{Z}/p\mathbb{Z}[x])/(f))^*$ and $\beta_2 \not\equiv 0 \bmod f$, calculate $x$ such that $0 \le x < p^n - 1$ and $\alpha_2^x \equiv \beta_2 \bmod f$.

Since $f$ is irreducible in $\mathbb{Z}/p\mathbb{Z}[x]$, it follows that $p$ is inert in $K_{q,n}$. There exists the following isomorphism from $(\mathbb{Z}/p\mathbb{Z}[x])/(f)$ to $O_{q,n}/(p)$:

$$\Big[\sum_{i=0}^{n-1} g_i x^i\Big] \;\mapsto\; \Big[\sum_{i=0}^{n-1} g_i\Big(\sum_{j=0}^{n-1} d_{i,j}\,\eta_{q,n,j}\Big)\Big],$$

where for $i = 0, 1, \dots, n-1$, $\eta_0^{\,i} = \sum_{j=0}^{n-1} d_{i,j}\,\eta_{q,n,j}$ with $d_{i,j} \in \mathbb{Z}$.

Calculate $\alpha_3, \beta_3 \in O$ such that $[\alpha_3]$ is the image of $[\alpha_2]$ and $[\beta_3]$ is the image of $[\beta_2]$ under this isomorphism. By reducing coefficients modulo $p$, find $\alpha, \beta \in R_{q,n,p}$ such that $\alpha \equiv \alpha_3 \bmod p$ and $\beta \equiv \beta_3 \bmod p$. Hence, the original problem becomes that of calculating $x$ such that $0 \le x < p^n - 1$ and $\alpha^x \equiv \beta \bmod p$.

Below, a family of algorithms $\{A_y\}_{y \in \mathbb{Z}_{>0}}$ is presented. It will be argued that for sufficiently large $y$: $A_y$ on all inputs $q, n, p, \alpha, \beta$ such that $p, q \in \mathbb{Z}_{>0}$ are prime, $n < p$, $n \mid q - 1$, $q < cn^4(\log(np))^2$, $p$ inert in $K_{q,n}$, and $\alpha, \beta \in R_{q,n,p}$ with $[\alpha]$ generating $(O_{q,n}/(p))^*$ and $\beta \not\equiv 0 \bmod p$, outputs $x$ such that $0 \le x < p^n - 1$ and $\alpha^x \equiv \beta \bmod p$.

Let $L_0 \in L_x[1/2, \sqrt{1/2}]$.

Algorithm $A_y$.

Stage 0. Input $q, n, p, \alpha, \beta$.

Stage 1. Set $N = p^{yn}$. Set (the "smoothness bound") $B = L_0(N)$. Set $H = n + q^3\log_2(q) + 1$.

Stage 2. Calculate $T = \{I \mid I \text{ is a prime ideal of } O,\ q \notin I,\ \text{and } I \text{ lies over a rational prime} \le B\}$. Let $w = \#T$, and let $(I_1, I_2, \dots, I_w)$ be an ordering of $T$.

Stage 3. Set $j = 1$. While $j < H + 1$:

Stage 3(a). Set $z = 1$. While $z < w + 1$: Choose random $r, s$ with $0 \le r, s < p^n - 1$ and calculate $\gamma \in R_{q,n,p}$ such that $\gamma \equiv \alpha^r\beta^s \bmod (p)$. If $(\gamma) = \prod_{i=1}^{w} I_i^{e_i}$ (i.e., if the ideal generated by $\gamma$ is $B$-smooth), then set $\gamma_{j,z} = \gamma$, $r_{j,z} = r$, $s_{j,z} = s$, $v_{j,z} = (e_1, e_2, \dots, e_w)$, and $z = z + 1$.

Stage 3(b). Calculate $a_1, a_2, \dots, a_{w+1} \in \mathbb{Z}^{p^n-1}_{\ge 0}$ such that $\mathrm{GCD}(a_1, a_2, \dots, a_{w+1}) = 1$ and $\sum_{i=1}^{w+1} a_i v_{j,i} \equiv (0, 0, \dots, 0) \bmod (p^n - 1)$. Calculate $\sigma_j = \prod_{i=1}^{w+1}\gamma_{j,i}^{a_i}$. Set $j = j + 1$.

Stage 4. For $j = 1, 2, \dots, H$, calculate $\theta_j$, the $(p^n-1)$-signature of $\sigma_j$ with respect to $(S_1, m_1), (S_2, m_2), \dots, (S_{2H}, m_{2H})$, where for $j = 1, 2, \dots, H$, $k = 1, 2, \dots, 2H$, $S_k \subseteq O_{q,n}$ is a prime ideal such that $(\sigma_j) + S_k = (1)$, $(p^n - 1) \mid (N(S_k) - 1)$, and $m_k$ is a primitive $(p^n-1)$th root of unity in $O/S_k$.

Stage 5. Calculate $b_1, b_2, \dots, b_H \in \mathbb{Z}^{p^n-1}_{\ge 0}$ such that $\mathrm{GCD}(b_1, b_2, \dots, b_H) = 1$ and $\sum_{j=1}^{H} b_j\theta_j \equiv (0, 0, \dots, 0) \bmod (p^n - 1)$.

Stage 6. Calculate $k = \sum_{j=1}^{H}\sum_{i=1}^{w+1} r_{j,i}\, a_i\, b_j$ and $l = \sum_{j=1}^{H}\sum_{i=1}^{w+1} s_{j,i}\, a_i\, b_j$. If $\alpha^k\beta^l \not\equiv 1 \bmod (p)$, then go to Stage 3.

Stage 7. If $(l, p^n - 1) \ne 1$, then go to Stage 3, else calculate and output $x = -k/l \bmod (p^n - 1)$ and halt.


4. Analysis of Algorithm I 

In this section computational details of Algorithm I will be described and there will be an analysis of the expected number of steps required by the algorithm on all inputs $q, n, p, \alpha, \beta$ such that $p, q \in \mathbb{Z}_{>0}$ are prime with $n < p$, $n \mid q - 1$, $q < cn^4(\log(np))^2$, $p$ inert in $K_{q,n}$, and $\alpha, \beta \in R_{q,n,p}$ with $[\alpha]$ generating $(O_{q,n}/(p))^*$ and $\beta \not\equiv 0 \bmod p$. For convenience, the argument will be for $p^n$ sufficiently large.

To begin, consider the expected number of steps required by a single pass 
through each of the stages of the algorithm. 

The time required for Stages 0, 1, 6, and 7 is dominated by the time required by other stages.

Stage 2: Test all numbers less than or equal to $B$ for primality. For each prime $s \ne q$ found, calculate the representatives $(s, \psi_i)$ of the prime ideals of $O_{q,n}$ lying above $s$ and add them to $T$ (see §2).

Using random polynomial-time primality testing [26, 3] and random polynomial-time finite field polynomial factorization [5], and observing that because of the size constraints on $q$, orders can be computed naively, it follows that there exists an $L_1 \in L_x[1/2, \sqrt{1/2}]$ such that the expected number of steps for a pass through Stage 2 is at most $L_1(N)$.

Further, since each rational prime has at most $n$ primes lying over it in $O_{q,n}$, it follows that there exists an $L_2 \in L_x[1/2, \sqrt{1/2}]$ such that $w = \#T \le L_2(N)$.

Stage 3(a): A $\gamma$ will be tested for $B$-smoothness by the following method: First the norm of $\gamma$ will be calculated and tested for $B$-smoothness. Those $\gamma$ which have $B$-smooth norms will then be factored as ideals (see §2).
A bound on the norm of $\gamma$ will be needed. We have

$$\gamma = \sum_{i=0}^{n-1} g_i\,\eta_i,$$

where $0 \le g_i \le p - 1$ for $i = 0, 1, \dots, n-1$. Hence, $\gamma$ is the sum of $q - 1$ terms each of the form $g\zeta_q^{c}$, where $0 \le g \le p - 1$ and $c \in \mathbb{Z}^{q}_{>0}$. This is also the form of the $n$ conjugates of $\gamma$. Hence, the norm of $\gamma$, $N(\gamma) = \prod_{\tau \in \mathrm{Gal}(K_{q,n}/\mathbb{Q})}\gamma^{\tau}$, is the sum of $(q-1)^n$ terms, the largest of which has absolute value $p^n$. By the constraints on $q$ and $n$, it follows that there exists a $y_0 \in \mathbb{Z}_{>0}$ such that $N(\gamma) < p^{y_0 n} \le N$ for all algorithms $A_y$ with $y \ge y_0$. Henceforth, assume that $y \ge y_0$.

Under the usual assumption [20] that the probability that $N(\gamma)$ is $B$-smooth (the exception of the prime $q$ is inconsequential) is equal to the probability that a random positive integer less than $N$ is $B$-smooth (see §2), there exists an $L_3 \in L_x[1/2, \sqrt{1/2}]$ such that the probability that $\gamma$ is $B$-smooth (i.e., that all prime ideals dividing $(\gamma)$ have norm less than or equal to $B$) is at least $1/L_3(N)$. Since $w$ $B$-smooth $\gamma$'s are needed, it follows that there exists an $L_4 \in L_x[1/2, \sqrt{2}]$ such that the expected number of $\gamma$'s which must be generated and tested for $B$-smoothness is at most $L_4(N)$.

The norm of each $\gamma$ may be tested for $B$-smoothness naively. Hence, there exists an $L_5 \in L_x[1/2, 3/\sqrt{2}]$ such that the expected number of steps required for a single pass through Stage 3(a) will be at most $L_5(N)$.

Stage 3(b): As indicated in §2, there must exist $a_1, a_2, \dots, a_{w+1} \in \mathbb{Z}^{p^n-1}_{\ge 0}$ such that $\mathrm{GCD}(a_1, a_2, \dots, a_{w+1}) = 1$ and $\sum_{i=1}^{w+1} a_i v_{j,i} \equiv (0, 0, \dots, 0) \bmod (p^n - 1)$. Further, as indicated in §2, there exists an algorithm which will find $a_1, a_2, \dots, a_{w+1}$ in $O(w^3\log^2(p^n))$ steps. Hence, there exists an $L_6 \in L_x[1/2, 3/\sqrt{2}]$ such that the expected time for a single pass through Stage 3(b) is at most $L_6(N)$.

Stage 4: Check numbers of the form $1 + a(q(p^n - 1))$ until primes $s_1, s_2, \dots, s_{2H/n}$ are found. For $k = 1, 2, \dots, 2H/n$, let $g_k \in \mathbb{Z}^{s_k}_{>0}$ generate $(\mathbb{Z}/s_k\mathbb{Z})^*$ and let $g \in \mathbb{Z}^{q}_{>0}$ generate $(\mathbb{Z}/q\mathbb{Z})^*$. For $k = 1, 2, \dots, 2H/n$, $j = 1, 2, \dots, n$: Let $\tilde S_{k,j} \subseteq O_{q,q-1}$ be the prime ideal generated by $s_k$ and $\zeta_q - c_k^{d_j}$, where $c_k = g_k^{(s_k-1)/q} \bmod s_k$ and $d_j = g^{j} \bmod q$. Let $S_{k,j} = \tilde S_{k,j} \cap O_{q,n}$. Then $S_{k,1}, S_{k,2}, \dots, S_{k,n}$ are the (distinct, residue class degree 1) prime ideals of $O_{q,n}$ lying above $s_k$. Since $s_k \equiv 1 \bmod q(p^n - 1)$, it follows that $(p^n - 1) \mid (N(S_{k,j}) - 1)$ and $N(S_{k,j}) > B$. Since for $j = 1, 2, \dots, H$, $(\sigma_j)$ is $B$-smooth, it follows that $(\sigma_j) + S_{k,j} = (1)$. Let $m_k = g_k^{(s_k-1)/(p^n-1)} \bmod s_k$, a primitive $(p^n-1)$th root of unity modulo $s_k$. Then the $2H$ pairs $(S_{k,j}, m_k)$ will be as required for Stage 4.

Assume that approximately the "expected" number of primes will be found in an arithmetic progression: assume that for all $m, b \in \mathbb{Z}_{>0}$ with $b > m\log(m)^3$: $\#\{a \mid 1 + am \le b\ \&\ 1 + am \text{ prime}\} \ge b/(m\log(b)^2)$. If we let $v = 2H/n$ and $m = q(p^n - 1)$, then all of the $v$ primes needed above can be found by checking less than $v\log(v)^3\log(m)^3$ $a$'s, and each prime $s$ found will be less than $mv\log(v)^3\log(m)^3$. The constraints on $n$ and $q$ imply that there exist $c_1, c_2 \in \mathbb{Z}_{>0}$ such that $v\log(v)^3\log(m)^3 < (n\log(p))^{c_1}$ and $mv\log(v)^3\log(m)^3 < p^n(n\log(p))^{c_2}$. Hence, the required primes can be found and tested for primality [3, 26] in a negligible number of steps.
Generators for $(\mathbb{Z}/s_k\mathbb{Z})^*$ are abundant [3, Lemma 4]. Checking a candidate $g$ to determine whether it is a generator will be done by factoring $s - 1$ and testing that for all primes $r \mid s - 1$, $g^{(s-1)/r} \not\equiv 1 \bmod s$. The factorization can be done using an "$L[1/2, 1]$" factoring method (e.g., [19]). A similar argument shows that a generator for $(\mathbb{Z}/q\mathbb{Z})^*$ can be found in a negligible number of steps.

We have $O_{q,n}/S_{k,j} \cong \mathbb{Z}/s_k\mathbb{Z}$, where the isomorphism is induced by $\zeta_q \mapsto c_k^{d_j}$. Hence, the calculation of the $(p^n-1)$-signatures of the $\sigma_j$'s is a set of discrete logarithm problems over $\mathbb{Z}/s_k\mathbb{Z}$. Using the bounds on $2H$ and the primes $s$ together with an "$L[1/2, 1]$" discrete logarithm algorithm for finite prime fields (e.g., [24]), we conclude that there exists an $L_7 \in L_x[1/2, 1]$ such that the expected number of steps required for a single pass through Stage 4 is at most $L_7(N)$.

Stage 5: By the analysis in §2, the required $b_1, b_2, \dots, b_H$ exist and can be found in time $O(H^3\log^3(p^n - 1))$. Using the bounds on $q$, we conclude that the number of steps required for a single pass through Stage 5 is negligible.

It will next be shown that the expected number of passes through stages of 
the algorithm is negligible. Stages will be repeated only if required in Stage 6 
or Stage 7. 

Stage 6 will cause stages of the algorithm to be repeated only if $\alpha^k\beta^l \not\equiv 1 \bmod (p)$. One has

$$\alpha^k\beta^l = \prod_{i,j}\alpha^{r_{j,i}a_ib_j}\beta^{s_{j,i}a_ib_j} = \prod_{j}\Big(\prod_{i}\gamma_{j,i}^{a_i}\Big)^{b_j} = \prod_{j}\sigma_j^{b_j} \pmod{p}.$$

By construction, the $\sigma_j$ are $(p^n-1)$-singular integers. By the arguments in §2 there exist $\delta \in O_{q,n}$ and $b_1, b_2, \dots, b_H \in \mathbb{Z}^{p^n-1}_{\ge 0}$ such that $\mathrm{GCD}(b_1, b_2, \dots, b_H) = 1$ and $\prod_{j=1}^{H}\sigma_j^{b_j} = \delta^{p^n-1}$. Further, $G(p^n - 1)$ is a group of exponent dividing $p^n - 1$, which is the direct product of at most $H - 1$ cyclic groups (see §2). The signature homomorphism $\theta$ maps $G(p^n - 1)$ into a group which is the direct product of $2H$ cyclic groups of order $p^n - 1$. It is reasonable to assume that this map is an embedding, and hence that these $b_1, b_2, \dots, b_H$ are the ones found in Stage 5. It follows that

$$\alpha^k\beta^l \equiv \prod_{j}\sigma_j^{b_j} = \delta^{p^n-1} \equiv 1 \pmod{p}.$$


Stage 7 will cause stages of the algorithm to be repeated only if $(l, p^n - 1) \ne 1$. However, $(l, p^n - 1) = 1$ with probability $\phi(p^n - 1)/(p^n - 1) > 1/(c\log p^n)$, where $c \in \mathbb{R}_{>0}$ is independent of $p$ and $n$ [3, Lemma 4]. Briefly, this can be argued as follows: Since from Stage 3(b), $\mathrm{GCD}(a_1, a_2, \dots, a_{w+1}) = 1$, and from Stage 5, $\mathrm{GCD}(b_1, b_2, \dots, b_H) = 1$, it follows that for all primes $t$ dividing $p^n - 1$, there exist $i \in \mathbb{Z}^{w+1}_{>0}$ and $j \in \mathbb{Z}^{H}_{>0}$ such that $a_ib_j$ is relatively prime to $t$. Consider $\gamma_{j,i} = \alpha^{r_{j,i}}\beta^{s_{j,i}}$, and observe that for all $s \in \mathbb{Z}^{p^n-1}_{\ge 0}$, there exists a unique $r \in \mathbb{Z}^{p^n-1}_{\ge 0}$ such that $\gamma_{j,i} = \alpha^r\beta^s$. Hence, $s_{j,i}$ is "random" mod $t$ and consequently $l = \sum_{j=1}^{H}\sum_{i=1}^{w+1} s_{j,i}\,a_i\,b_j$ is also "random" mod $t$.

Recalling that in Algorithm $A_y$ we have $N = p^{yn}$, we may conclude that there exist a $c_y \in \mathbb{R}_{>0}$ and an $L_y \in L_x[1/2, c_y]$ such that for all sufficiently large $y$, the expected number of steps required by Algorithm $A_y$ on all inputs $q, n, p, \alpha, \beta$ such that $p, q \in \mathbb{Z}_{>0}$ are prime, $n < p$, $n \mid q - 1$, $q < cn^4(\log(np))^2$, $p$ inert in $K_{q,n}$, and $\alpha, \beta \in R_{q,n,p}$ with $[\alpha]$ generating $(O_{q,n}/(p))^*$ and $\beta \not\equiv 0 \bmod p$ is $L_y(p^n)$. Hence, there exists a $c \in \mathbb{R}_{>0}$ such that the expected number of steps required by Algorithm I (when $n < p$) is

$$e^{c(\log(p^n)\log\log(p^n))^{1/2}}.$$

Finally, it is clear from Stages 6 and 7 that the output of the algorithm is $x$ such that $\alpha^x \equiv \beta \bmod p$.


5. Algorithm II 

This algorithm will be used for discrete logarithms over $\mathrm{GF}(p^n)$ when $p < n$.

Algorithm II is a generalization of the algorithm for $\mathrm{GF}(2^n)$ by Hellman and Reyneri discussed in Coppersmith [17, 8].

It is assumed that the inputs to the algorithm are $p, f, \alpha, \beta$ such that $p \in \mathbb{Z}_{>0}$ is prime, $f \in \mathbb{Z}/p\mathbb{Z}[x]$ is monic, irreducible of degree $n > p$, and $\alpha, \beta \in \mathbb{Z}/p\mathbb{Z}[x]$ of degree less than $n$ with $[\alpha] \in (\mathbb{Z}/p\mathbb{Z}[x])/(f)$ a generator of the multiplicative group and $\beta \not\equiv 0 \bmod f$.

Algorithm II.

Stage 0. Input $f, p, \alpha, \beta$.

Stage 1. Set $n$ = degree of $f$, $m = \lceil (n\log(n)/\log(p))^{1/2} \rceil$.

Stage 2. Calculate $T = \{ f \in \mathbb{Z}/p\mathbb{Z}[x] : \deg(f) \le m,\ f \text{ irreducible and monic} \}$. Let $w = \#T$ and let $(f_1, f_2, \ldots, f_w)$ be an ordering of $T$.

Stage 3. Set $z = 1$. While $z \le w + 1$: Choose random $r, s$ with $0 \le r, s < p^n - 1$ and calculate $\gamma \in \mathbb{Z}/p\mathbb{Z}[x]$ of degree less than $n$ such that $\gamma \equiv \alpha^r\beta^s \bmod f$. If $\gamma = y\prod_{i=1}^{w} f_i^{e_i}$, where $y$ is the leading coefficient of $\gamma$ (i.e., if $\gamma$ is $m$-smooth), then set $\gamma_z = \gamma$, $r_z = r$, $s_z = s$, $v_z = (e_1, e_2, \ldots, e_w)$, and $z = z + 1$.

Stage 4. Calculate $a_1, a_2, \ldots, a_{w+1} \in \mathbb{Z}^{p^n-1}_{\ge 0}$ such that $\mathrm{GCD}(a_1, a_2, \ldots, a_{w+1}) = 1$ and $\sum_{i=1}^{w+1} a_i v_i \equiv (0, 0, \ldots, 0) \bmod (p^n - 1)$.

Stage 5. Calculate $k = \sum_{i=1}^{w+1} r_i a_i$ and $l = \sum_{i=1}^{w+1} s_i a_i$. Calculate $\delta \in \mathbb{Z}/p\mathbb{Z}$ such that $\delta \equiv \alpha^k\beta^l \bmod f$.

Stage 6. Calculate $y \in \mathbb{Z}^{p-1}_{\ge 0}$ such that $\alpha^{y((p^n-1)/(p-1))} \equiv \delta \bmod f$.

Stage 7. If $(l, p^n - 1) \ne 1$, then go to Stage 3, else calculate and output $x = (y((p^n-1)/(p-1)) - k)/l \bmod p^n - 1$ and halt.
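Algorithm II carried through end to end on a toy instance, as an added example rather than code from the paper. It works in GF(2)[x]/(f) with f = x^7 + x + 1 (so p = 2 < n = 7, 2^n - 1 = 127 is prime, and α = x generates the multiplicative group), packs polynomials into Python ints, builds the factor base T of Stage 2 by trial division, and solves Stage 4 over the integers with unimodular row operations, which makes GCD(a_1, ..., a_{w+1}) = 1 automatic; the field, α, β and that way of doing Stage 4 are assumptions of this example, not the paper's. Over GF(2) every leading coefficient is 1, so δ = 1 and Stage 6 is trivial; the other stages run as written on the page.

```python
import math, random
def clmul(a, b):  # product in GF(2)[x]; a polynomial is an int whose bit i is the coefficient of x^i
    r = 0
    while b: r, a, b = r ^ (a if b & 1 else 0), a << 1, b >> 1
    return r
def pmod(a, f):  # remainder of a modulo f in GF(2)[x]
    while a.bit_length() >= f.bit_length(): a ^= f << (a.bit_length() - f.bit_length())
    return a
def powmod(a, e, f):  # a^e mod f by square-and-multiply
    r = 1
    while e: r, a, e = (pmod(clmul(r, a), f) if e & 1 else r), pmod(clmul(a, a), f), e >> 1
    return r
def irreducibles(m):  # Stage 2: T = every irreducible of degree 1..m, by trial division by lower-degree members
    T = []
    for g in range(2, 1 << (m + 1)):
        if all(pmod(g, h) for h in T if 2 * (h.bit_length() - 1) < g.bit_length()): T.append(g)
    return T
def smooth_factor(g, T):  # Stage 3 test: exponent vector e with g = prod f_i^e_i, or None when g is not m-smooth
    e, q = [0] * len(T), 1
    for i, h in enumerate(T):
        while pmod(g, clmul(q, h)) == 0: q, e[i] = clmul(q, h), e[i] + 1
    return e if q == g else None

def egcd(a, b):  # (g, u, v) with u*a + v*b = g
    if b == 0: return a, 1, 0
    g, x, y = egcd(b, a % b); return g, y, x - (a // b) * y
def left_kernel_vector(M):  # Stage 4: integer a with gcd 1 and sum a_i v_i = 0, by unimodular row operations on [M | I]
    n, w, r = len(M), len(M[0]), 0
    A = [row + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(w):
        for i in range(r + 1, n):
            if A[i][c]:
                g, u, v = egcd(A[r][c], A[i][c]); x, y = A[r][c] // g, A[i][c] // g
                A[r], A[i] = [u * s + v * t for s, t in zip(A[r], A[i])], [y * s - x * t for s, t in zip(A[r], A[i])]
        r += bool(A[r][c])
    return A[-1][w:]  # the last row annihilates M, and a row of a unimodular matrix is primitive

def algorithm_II(f, alpha, beta, seed=1):  # returns x with alpha^x = beta in GF(2)[x]/(f); p = 2 < n = deg f
    n, rng = f.bit_length() - 1, random.Random(seed)
    N, T = 2 ** n - 1, irreducibles(math.ceil(math.sqrt(n * math.log(n) / math.log(2))))  # Stages 1, 2
    while True:  # Stage 7 sends us back here when gcd(l, N) != 1
        rels = []
        while len(rels) <= len(T):  # Stage 3: w + 1 relations gamma = alpha^r beta^s with gamma m-smooth
            r, s = rng.randrange(N), rng.randrange(N)
            e = smooth_factor(pmod(clmul(powmod(alpha, r, f), powmod(beta, s, f)), f), T)
            if e is not None: rels.append((r, s, e))
        a = left_kernel_vector([e for _, _, e in rels])  # Stage 4
        k, l = [sum(rs[j] * ai for rs, ai in zip(rels, a)) % N for j in (0, 1)]  # Stage 5
        assert pmod(clmul(powmod(alpha, k, f), powmod(beta, l, f)), f) == 1  # delta = 1 over GF(2), so Stage 6 gives y = 0
        if math.gcd(l, N) == 1: return -k * pow(l, -1, N) % N  # Stage 7
```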

6 . Analysis of Algorithm II 

In this section the complexity of Algorithm II will be analyzed. For convenience it will be assumed that $p^n$ is sufficiently large.

The time required for Stages 0, 1, 5, and 7 is dominated by the time required by other stages. Since $n > p$, it follows that the $y$ required in Stage 6 can be found by exhaustion in a negligible amount of time.

Stage 2. Since every element in $T$ is of degree at most $m$,

$$w \le p^m \le e^{((n\log(n)/\log(p))^{1/2}+1)\log(p)} = e^{(n\log(n)\log(p))^{1/2}+\log(p)} \le e^{(\log(p^n)\log\log(p^n))^{1/2}+\log(p)} \in L_{p^n}[1/2, 1]$$

(observe that $\log\log(p^n) \ge \log(n)$). Since irreducibility checking in $\mathbb{Z}/p\mathbb{Z}[x]$ can be done in time polynomial in $n$ and $\log(p)$ [5], there exists an $L_1 \in L_{p^n}[1/2, 1]$ such that all irreducible polynomials of degree less than or equal to $m$ can be found by exhaustion within time $L_1$.

Stage 3. By choosing a random $0 \le r < p^n - 1$, $\alpha^r$ will be a random polynomial of degree less than $n$. Thus, $\alpha^r\beta^s$ will also be a random polynomial of degree less than $n$. The chance of such a random polynomial having factors only in $T$ is $P_p(n, m)$ (see §2). Therefore, the expected number of executions of Stage 3 is $(w+1)/P_p(n, m) \le (w+1)\,p^m\, n^{n/m} \in L_{p^n}[1/2, 3]$, since $w + 1,\ p^m \in L_{p^n}[1/2, 1]$ and $n^{n/m} \le e^{n\log(n)/(n\log(n)/\log(p))^{1/2}} \le e^{(n\log(n)\log(p))^{1/2}} \in L_{p^n}[1/2, 1]$. Since factorization in $\mathbb{Z}/p\mathbb{Z}[x]$ can be done in random polynomial time [5], there exists an $L_2 \in L_{p^n}[1/2, 3]$ such that the expected number of steps required for a pass through Stage 3 is at most $L_2$.

Stage 4. As indicated in §2, there must exist $a_1, a_2, \ldots, a_{w+1} \in \mathbb{Z}^{p^n-1}_{\ge 0}$ such that $\mathrm{GCD}(a_1, a_2, \ldots, a_{w+1}) = 1$ and $\sum_{i=1}^{w+1} a_i v_i \equiv (0, 0, \ldots, 0) \bmod (p^n - 1)$. Further, as follows from §2, there exists an algorithm which will calculate $a_1, a_2, \ldots, a_{w+1}$ in $O(w^3\log^3(p^n))$ steps. Hence, there exists an $L_3 \in L_{p^n}[1/2, 3]$ such that the number of steps required for a single pass through Stage 4 is at most $L_3$.

Next, it will be argued that the expected number of passes through Algorithm II is negligible. Stages will be repeated only if $(l, p^n - 1) \ne 1$ in Stage 7. However, $(l, p^n - 1) = 1$ with probability $\phi(p^n - 1)/(p^n - 1) > 1/(c\log(p^n))$, where $c \in \mathbb{R}_{>0}$ is independent of $p$ and $n$ [3, Lemma 4]. Briefly, as in the analysis of Algorithm I, this can be argued as follows: Since from Stage 3(b), $\mathrm{GCD}(a_1, a_2, \ldots, a_{w+1}) = 1$, it follows that for all primes $t$ dividing $p^n - 1$ there exists an $i \in \mathbb{Z}^{w+1}_{>0}$ such that $a_i$ is relatively prime to $t$. Consider $\gamma_i = \alpha^{r_i}\beta^{s_i}$, and observe that for all $s \in \mathbb{Z}^{p^n-1}_{\ge 0}$ there exists a unique $r \in \mathbb{Z}^{p^n-1}_{\ge 0}$ such that $\gamma_i = \alpha^r\beta^s$. Hence, $s_i$ is "random" mod $t$, and consequently $l = \sum_{i=1}^{w+1} s_i a_i$ is also "random" mod $t$. Hence, the expected number of passes through each stage of the algorithm is at most $c\log(p^n)$.

Thus, there exists an $L_4 \in L_{p^n}[1/2, 3]$ such that the expected number of steps required by Algorithm II on inputs $p, f, \alpha, \beta$ such that $p \in \mathbb{Z}_{>0}$ is prime, $f \in \mathbb{Z}/p\mathbb{Z}[x]$ is monic, irreducible of degree $n > p$, and $\alpha, \beta \in \mathbb{Z}/p\mathbb{Z}[x]$ of degree less than $n$ with $[\alpha] \in (\mathbb{Z}/p\mathbb{Z}[x])/(f)$ a generator of the multiplicative group and $\beta \not\equiv 0 \bmod f$ is at most $L_4$.

Observe that $\alpha^k\beta^l = \prod_{i=1}^{w+1}\gamma_i^{a_i}$ is the product of $\delta = \prod_{i=1}^{w+1} y_i^{a_i}$ times a $(p^n - 1)$th power. Hence, $\alpha^k\beta^l \equiv \delta \bmod f$. Next observe that since $[\alpha]$ generates the multiplicative group of $(\mathbb{Z}/p\mathbb{Z}[x])/(f)$, a $y \in \mathbb{Z}^{p-1}_{\ge 0}$ such that $\alpha^{y((p^n-1)/(p-1))} \equiv \delta \bmod f$ must exist. Finally, it is clear from Stage 7 that the output of the algorithm is $x$ such that $\alpha^x \equiv \beta \bmod f$.
Discussion. Little effort was made to "optimize" the algorithm presented here. It is possible to improve the running time in several ways. Sparse matrix methods can be used to find some dependencies [28]. Smoothness of norms can be tested using the "elliptic curve methods" [18]. The integer factoring done in various parts can probably be avoided, if necessary, or "$L[1/3]$" methods can be used (e.g., [3, 20]). Also, heuristically, the expected size of $q$ in Algorithm I can be argued to be less than $cn(\log(np))^{c'}$ for some $c, c' \in \mathbb{R}_{>0}$. This will lead to norms of size $p^n\,(cn(\log(np))^{c'})^n \in L_{p^n}[1, 2]$. Using $B \in L_{p^n}[1/2, 1]$ and the ideas above, we believe that a running time in $L_{p^n}[1/2, 2]$ is achievable for Algorithm I.

Several alternatives exist for our handling of the case $n > p$. Lovorn's algorithm [21], which has a running time in $L_{p^n}[1/2, \sqrt{2}]$, covers this case. Alternatively, Lovorn's improved bound on $N_p(n, m)$ together with sparse matrix techniques could be used to modify Algorithm II and also yield an $L_{p^n}[1/2, \sqrt{2}]$ result. It would also be of interest to adapt Algorithm I to this setting.

Hence, overall it appears discrete logarithms over GF($p^n$) can be computed in $L_{p^n}[1/2, 2]$ expected time.

There appear to be several natural open problems. 

• Do there exist a $c \in \mathbb{Z}_{>0}$ and an algorithm for discrete logarithms over GF($p^n$) with provable expected running time in $L_{p^n}[1/2, c]$?

• Does there exist an algorithm for discrete logarithms over GF($p^n$) with heuristic expected running time in $L_{p^n}[1/2, 1]$?

• Does there exist an algorithm for discrete logarithms over GF($p^n$) with provable expected running time in $L_{p^n}[1/2, 1]$?

• Do there exist a $c \in \mathbb{Z}_{>0}$ and an algorithm for discrete logarithms over GF($p^n$) with heuristic expected running time in $L_{p^n}[1/3, c]$?